So here we are again. In part 2 of my Nagios & Ubuntu 9.04 guide, I will show you how you can turn your basic and insecure installation into one that isn’t so blatantly dumb. Anyone who wishes to delve into the world of internet technology should always be reading and keeping up with the latest news. I’m talking about the ever-changing landscape of the technology world. Every day, new viruses, exploits, bugs and security holes are found. The only way to keep up with something like this is to always be reading. Just because it’s secure today doesn’t mean it’s secure tomorrow!
Today we cover digest authentication using Apache 2 and Nagios 3. Unlike part 1, this should be much quicker. Even though this guide is for Nagios for the most part, pretty much everything we have to configure is in Apache.
Problem
Apache with its default configuration is an insecure web server. But don’t get me wrong, it is only like that for simplicity’s sake. It is up to the administrator to secure it, and there are tons of easy ways to do this. By default, Apache uses basic authentication, which allows the use of logins and passwords. The problem with basic authentication is that any logins and passwords used are sent in clear text between the user and the web server, allowing any network packet sniffing software to grab and reveal your session information to anyone with less than half a brain to find it.
Solution
Digest Authentication. This method of authentication will stop sending your authentication requests in clear text. It instead allows user identity to be established in a more secure fashion by using MD5 cryptographic hashing together with nonce values to prevent cryptanalysis. In short, no more clear text authentication. More on this topic can be found here. Digest authentication is only the first step one should take in securing a web server. It is not an end-all, be-all solution.
So, in part 1 we left off at the point where we had Nagios installed and monitoring the local server with basic Apache authentication.
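What the MD5 hashing and nonce exchange described above amount to, as an added Python example that is not part of the original guide. It is a simplified model of RFC 2617 digest authentication with qop=auth; the password, nonces and URI are constructed sample values.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(user, realm, password):
    # Layout of one htdigest entry: user:realm:HA1, with HA1 = MD5(user:realm:password).
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    # RFC 2617, qop=auth. This hash is what crosses the wire instead of the password.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_header(user, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    ha1 = htdigest_line(user, realm, password).rsplit(":", 1)[1]
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}

def server_accepts(stored_line, issued_nonce, method, header):
    # The server recomputes the response from the stored HA1 and the nonce it
    # issued. HA1 alone is enough to do that, so keep the digest file private.
    user, realm, ha1 = stored_line.split(":", 2)
    if (header["username"], header["realm"], header["nonce"]) != (user, realm, issued_nonce):
        return False
    expected = digest_response(ha1, method, header["uri"], issued_nonce,
                               header["nc"], header["cnonce"])
    return hmac.compare_digest(expected, header["response"])

def demo():
    # Constructed values; only the user name and realm come from the guide.
    password = "example-password"
    stored = htdigest_line("nagiosadmin", "Nagios Access", password)
    hdr = client_header("nagiosadmin", "Nagios Access", password,
                        "GET", "/nagios/", "nonce-A", "c1")
    return {
        "password_on_wire": password in " ".join(hdr.values()),
        "fresh": server_accepts(stored, "nonce-A", "GET", hdr),
        "replayed": server_accepts(stored, "nonce-B", "GET", hdr),
    }

if __name__ == "__main__":
    print(demo())
```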
Source Installed Nagios
- Start by creating a new password file using the ‘htdigest’ tool. Place the new password file in the same directory you placed your original ‘htpasswd.users’ file. You may create an entirely different password or use the same one as before, as we are creating a brand new password file for digest auth.
$ sudo htdigest -c /usr/local/nagios/etc/.digest_pw "Nagios Access" nagiosadmin
- Next we must modify the Apache configuration file ‘nagios.conf’ for Nagios. (According to the Nagios documentation this can typically be found in ‘/etc/httpd/conf.d/’; however, in Ubuntu when installed with aptitude it is located in ‘/etc/apache2/conf.d’.)
$ sudo nano /etc/apache2/conf.d/nagios.conf
- Here is what it should currently look like
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
# Last Modified: 11-26-2005
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
# SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>
- We will need to modify lines 21, 22, 38, and 39
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
- Lines 21 and 22 should be modified to this
AuthType Digest
AuthUserFile /usr/local/nagios/etc/.digest_pw
- Lines 38 and 39 should be modified to this
AuthType Digest
AuthUserFile /usr/local/nagios/etc/.digest_pw
- Save and exit nano, then move to ‘/etc/apache2/mods-enabled/’
$ cd /etc/apache2/mods-enabled/
- List the directory and see if you have ‘auth_digest.load’ linked within the ‘mods-enabled’ directory
$ ls
alias.conf authz_user.load dir.load php5.load
alias.load autoindex.conf env.load setenvif.conf
auth_basic.load autoindex.load mime.conf setenvif.load
authn_file.load cgi.load mime.load status.conf
authz_default.load deflate.conf negotiation.conf status.load
authz_groupfile.load deflate.load negotiation.load
authz_host.load dir.conf php5.conf
- By default it usually is not linked. If that is the case, we must now link it so that Apache can use the ‘auth_digest.load’ module.
$ sudo ln -s /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled/auth_digest.load
- List the ‘mods-enabled’ directory again to verify it is now linked.
$ ls
alias.conf authz_host.load dir.conf php5.conf
alias.load authz_user.load dir.load php5.load
auth_basic.load autoindex.conf env.load setenvif.conf
auth_digest.load autoindex.load mime.conf setenvif.load
authn_file.load cgi.load mime.load status.conf
authz_default.load deflate.conf negotiation.conf status.load
authz_groupfile.load deflate.load negotiation.load
- Restart the Apache server
$ sudo /etc/init.d/apache2 restart
* Restarting web server apache2 ... waiting . [ OK ]
- That’s it, you should now go back to your browser and log in again.
Aptitude Installed Nagios
- Start by creating a new password file using the ‘htdigest’ tool. Place the new password file in the same directory you placed your original ‘htpasswd.users’ file.
$ sudo htdigest -c /etc/nagios3/.digest_pw "Nagios Access" nagiosadmin
- Next we must modify the Apache configuration file ‘nagios3.conf’ for Nagios. (According to the Nagios documentation this can typically be found in ‘/etc/httpd/conf.d/’; however, in Ubuntu when installed with aptitude it is located in ‘/etc/apache2/conf.d’.)
$ sudo nano /etc/apache2/conf.d/nagios3.conf
- Here is what it should currently look like
# apache configuration for nagios 3.x
# note to users of nagios 1.x and 2.x:
# throughout this file are commented out sections which preserve
# backwards compatibility with bookmarks/config for older nagios versios.
# simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.

ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
# nagios 1.x:
#ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
#ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
# nagios 2.x:
#ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
#ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3

# Where the stylesheets (config files) reside
Alias /nagios3/stylesheets /etc/nagios3/stylesheets
# nagios 1.x:
#Alias /nagios/stylesheets /etc/nagios3/stylesheets
# nagios 2.x:
#Alias /nagios2/stylesheets /etc/nagios3/stylesheets

# Where the HTML pages live
Alias /nagios3 /usr/share/nagios3/htdocs
# nagios 2.x:
#Alias /nagios2 /usr/share/nagios3/htdocs
# nagios 1.x:
#Alias /nagios /usr/share/nagios3/htdocs

<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
   Options FollowSymLinks

   DirectoryIndex index.html

   AllowOverride AuthConfig
   Order Allow,Deny
   Allow From All

   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /etc/nagios3/htpasswd.users
   # nagios 1.x:
   #AuthUserFile /etc/nagios/htpasswd.users
   require valid-user
</DirectoryMatch>

# Enable this ScriptAlias if you want to enable the grouplist patch.
# See http://apan.sourceforge.net/download.html for more info
# It allows you to see a clickable list of all hostgroups in the
# left pane of the Nagios web interface
# XXX This is not tested for nagios 2.x use at your own peril
#ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
# nagios 1.x:
#ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
- We will need to modify lines 40 and 41
AuthType Basic
AuthUserFile /etc/nagios3/htpasswd.users
- Lines 40 and 41 should be modified to this
AuthType Digest
AuthUserFile /etc/nagios3/.digest_pw
- Save and exit nano, then move to ‘/etc/apache2/mods-enabled/’
$ cd /etc/apache2/mods-enabled/
- List the directory and see if you have ‘auth_digest.load’ linked within the ‘mods-enabled’ directory
$ ls
alias.conf authz_user.load dir.load php5.load
alias.load autoindex.conf env.load setenvif.conf
auth_basic.load autoindex.load mime.conf setenvif.load
authn_file.load cgi.load mime.load status.conf
authz_default.load deflate.conf negotiation.conf status.load
authz_groupfile.load deflate.load negotiation.load
authz_host.load dir.conf php5.conf
- By default it usually is not linked. If that is the case, we must now link it so that Apache can use the ‘auth_digest.load’ module.
$ sudo ln -s /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled/auth_digest.load
- List the ‘mods-enabled’ directory again to verify it is now linked.
$ ls
alias.conf authz_host.load dir.conf php5.conf
alias.load authz_user.load dir.load php5.load
auth_basic.load autoindex.conf env.load setenvif.conf
auth_digest.load autoindex.load mime.conf setenvif.load
authn_file.load cgi.load mime.load status.conf
authz_default.load deflate.conf negotiation.conf status.load
authz_groupfile.load deflate.load negotiation.load
- Restart the Apache server
$ sudo /etc/init.d/apache2 restart
* Restarting web server apache2 ... waiting . [ OK ]
- That’s it, you should now go back to your browser and log in again.
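A way to double-check the edits from either procedure before restarting Apache, as an added Python example (not part of the original guide or of Nagios). It relies on the realm given to htdigest having to equal the AuthName of each protected block; the function names, sample config and digest entry are constructed.

```python
import re
import shlex

def auth_blocks(conf_text):
    """Return [(section, {directive: value})] for each <Directory...> block."""
    blocks, name, directives = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(Directory\w*)\s+(.+)>$", line)
        if opened:
            name, directives = opened.group(2).strip('"'), {}
        elif re.match(r"</Directory\w*>$", line):
            blocks.append((name, directives))
            name = None
        elif name is not None:
            parts = shlex.split(line)
            directives[parts[0].lower()] = " ".join(parts[1:])
    return blocks

def digest_auth_problems(conf_text, digest_text):
    """List protected blocks that still use Basic or have no matching realm."""
    realms = {l.split(":")[1] for l in digest_text.splitlines() if l.count(":") >= 2}
    problems = []
    for section, d in auth_blocks(conf_text):
        if "authtype" not in d:
            continue
        if d["authtype"].lower() != "digest":
            problems.append(f"{section}: AuthType is still {d['authtype']}")
        elif d.get("authname") not in realms:
            problems.append(f"{section}: no digest entry for realm {d.get('authname')!r}")
    return problems

# Constructed sample: second block missed, digest file made with realm "Nagios".
SAMPLE_CONF = '''
<Directory "/usr/local/nagios/sbin">
   AuthName "Nagios Access"
   AuthType Digest
</Directory>
<Directory "/usr/local/nagios/share">
   AuthName "Nagios Access"
   AuthType Basic
</Directory>
'''
SAMPLE_DIGEST = "nagiosadmin:Nagios:" + "0" * 32  # placeholder hash, not a real one

if __name__ == "__main__":
    for problem in digest_auth_problems(SAMPLE_CONF, SAMPLE_DIGEST):
        print(problem)
```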
7 Comments
Usually that error means that you have a Symbolic Link that is linking back to an already existing symbolic link.
Check this guy’s post to see if this is what is happening http://www.linuxforums.org/forum/redhat-fedora-linux-help/17873-error-too-many-levels-symbolic-links.html
I have a problem after > sudo ln -s /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled/auth_digest.load
((((((((((((((((((((((((((()))))))))))))))))))))))
* Restarting web server apache2 apache2: Syntax error on line 185 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/mods-enabled/auth_digest.load: Too many levels of symbolic links
[fail]
I need your help…..thanks…